CN111740943A - Anti-attack method, device, equipment and machine readable storage medium - Google Patents


Info

Publication number
CN111740943A
Authority
CN
China
Prior art keywords
address
message
authentication
real
terminal device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010246582.7A
Other languages
Chinese (zh)
Other versions
CN111740943B (en)
Inventor
岳炳词
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by New H3C Security Technologies Co Ltd filed Critical New H3C Security Technologies Co Ltd
Priority to CN202010246582.7A priority Critical patent/CN111740943B/en
Publication of CN111740943A publication Critical patent/CN111740943A/en
Application granted granted Critical
Publication of CN111740943B publication Critical patent/CN111740943B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5053 Lease time; Renewal aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present disclosure provides an anti-attack method, apparatus, device and machine-readable storage medium. The method comprises: detecting whether the initial source address of a message to be sent is the real address; if so, performing an encryption conversion of the real address with a secret key by a preset algorithm to obtain an authentication address, where the secret key was distributed by the network device when the terminal device registered with it in advance; and sending the message with the authentication address as its source address, so that the network device, which forwards only messages whose source address is a recorded authentication address, replaces the source address with the real address and forwards the message. According to this scheme, once the address of the message is determined to be the real address, it is converted with the agreed key and encryption algorithm into an authentication address, and the message is sent to the network device with the authentication address as its source; the network device can then verify the authenticity of the address with the same agreed key and algorithm, so that spoofed and forged addresses are filtered out and layer-two attacks are prevented.

Description

Anti-attack method, device, equipment and machine readable storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to an anti-attack method, apparatus, device, and machine-readable storage medium.
Background
Layer-two forwarding is forwarding at the data link layer, i.e. layer two of the seven-layer network model. A layer-two forwarding device reads the destination MAC address of each message it receives and forwards the message according to that destination MAC address.
A MAC address flooding attack is one in which an attacker uses a tool to send a large number of frames with forged source MAC addresses, so that the MAC table of the layer-two forwarding device is quickly filled with learned entries. The common prevention method is to limit the number of MAC addresses learned on a layer-two access interface. A list of legitimate MAC addresses may also be configured statically so that frames from illegitimate addresses are discarded.
In a DHCP server DoS attack, a hacker uses a tool such as Goobler to send a large number of DHCP requests with different source MAC addresses until all addresses in the network segment served by the DHCP server are occupied. Besides the denial of service itself, such an attack can be combined with a rogue DHCP server to redirect traffic to malicious nodes intended for traffic interception.
ARP spoofing: ARP binds MAC addresses to IP addresses so that two workstations can communicate. The initiating workstation sends an ARP request as a MAC broadcast, and the workstation holding the requested IP address sends an ARP reply carrying its own IP and MAC address. Suppose user A has IP address 1.1.1.1 and MAC address A_MAC. User B actively sends a forged ARP message whose IP address is 1.1.1.1 and whose MAC address is B's own address B_MAC. The ARP entry learned by the forwarding device then states that the MAC address for IP address 1.1.1.1 is B_MAC, so messages that should have gone to user A are sent to user B instead.
IP/MAC address spoofing: another technique hackers often use is IP address spoofing. Common types are MAC spoofing and IP/MAC spoofing, whose purpose is typically to forge an identity or obtain the privileges of a given IP/MAC. Current examples of such attacks are Ping of Death, SYN flood and ICMP unreachable storms. If a hacker sends a large number of ping packets to address B while pretending to be address A, all ping responses are returned to address A, which implements a denial of service (DoS) attack while hiding the real identity of the attacking system.
In an ARP flooding attack, a terminal device in the layer-two network sends a large number of forged messages with different source MAC and source IP addresses, so that the forwarding device builds a large number of bogus ARP entries.
Attacks at the second layer of the network are the security threats that are easiest for attackers to carry out and hardest to discover; their goal is to disable the network or to compromise network users by obtaining sensitive information such as passwords. Since any legitimate user can obtain access to an Ethernet port, any such user may become an attacker, and since the OSI model is designed so that the layers work without knowledge of one another, the security of the second layer becomes critical. If this layer is compromised, network security is severely compromised: communication at the other layers continues, and no user notices that the attack has broken the information security of the application layer.
The main characteristic of a layer-two attack is that a terminal device in the layer-two network, once controlled by a hacker, does not send messages with its own source MAC or source IP but with a spoofed MAC address or IP address constructed by a tool; this is why terminal devices are easily attacked through the layer-two network.
Disclosure of Invention
In view of the above, the present disclosure provides an anti-attack method, an anti-attack apparatus, an electronic device, and a machine-readable storage medium, so as to mitigate the above problem that attacks pass easily through a layer-two network.
The specific technical scheme is as follows:
The disclosure provides an anti-attack method applied to a terminal device, comprising the following steps: detecting whether the initial source address of a message to be sent is the real address; if so, performing an encryption conversion of the real address with a secret key by a preset algorithm to obtain an authentication address, where the secret key was distributed by the network device when the terminal device registered with it in advance; and sending the message with the authentication address as its source address, so that the network device, which forwards only messages whose source address is a recorded authentication address, replaces the source address with the real address and forwards the message. The authentication address recorded by the network device is obtained by the network device through the same encryption conversion, by the preset algorithm, of the real address of the terminal device at registration with the secret key distributed to it at registration.
In one technical solution, the real address comprises a real MAC address and/or a real IP address, and the authentication address comprises an authentication MAC address and/or an authentication IP address.
The present disclosure also provides an anti-attack method applied to a network device, comprising: receiving a message and obtaining its source address; if the source address is recorded as an authentication address, obtaining the real address corresponding to that authentication address; replacing the source address with the real address and then forwarding the message. The recorded authentication address is obtained by the network device through encryption conversion, by the preset algorithm, of the real address of the terminal device at registration with the secret key distributed to it at registration.
In one technical solution, the real address comprises a real MAC address and/or a real IP address, and the authentication address comprises an authentication MAC address and/or an authentication IP address.
In one technical solution, if the source address is not a recorded authentication address, the message is discarded.
In one technical solution, a record table is established in advance, which records, in correspondence, the real address of the terminal device, the key distributed to it, and the authentication address obtained at registration by encryption conversion of the real address with that key by the preset algorithm.
The present disclosure also provides an anti-attack apparatus applied to a terminal device, comprising: a detection module, configured to detect whether the initial source address of a message to be sent is the real address; an encryption module, configured, when the initial source address of the message to be sent is the real address, to perform an encryption conversion of the real address with a secret key by a preset algorithm to obtain an authentication address, where the secret key was distributed by the network device after the terminal device registered with it in advance; and a sending module, configured to send the message with the authentication address as its source address, so that the network device, which forwards only messages whose source address is a recorded authentication address, replaces the source address with the real address and forwards the message. The authentication address recorded by the network device is obtained by the network device through encryption conversion, by the preset algorithm, of the real address of the terminal device at registration with the secret key distributed to it at registration.
The present disclosure also provides an anti-attack apparatus applied to a network device, comprising: a receiving module, configured to receive a message and obtain its source address; an analysis module, configured, when the source address is a recorded authentication address, to obtain the real address corresponding to that authentication address; and a forwarding module, configured to replace the source address with the real address and then forward the message. The recorded authentication address is obtained by the network device through encryption conversion, by the preset algorithm, of the real address of the terminal device at registration with the secret key distributed to it at registration.
The present disclosure also provides an electronic device, including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions capable of being executed by the processor, and the processor executes the machine-executable instructions to implement the foregoing anti-attack method.
The present disclosure also provides a machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the foregoing anti-attack method.
The technical scheme provided by the disclosure at least brings the following beneficial effects:
Once the address of the message is determined to be the real address, it is converted with the agreed key and encryption algorithm into an authentication address, and the message is sent to the network device with the authentication address as its source address. The network device can therefore verify the authenticity of the address with the same agreed key and encryption algorithm, filtering out spoofed and forged addresses and protecting against layer-two attacks.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments of the present disclosure or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present disclosure, and other drawings can be obtained by those skilled in the art according to the drawings of the embodiments of the present disclosure.
FIG. 1 is a flow chart of an attack prevention method in one embodiment of the present disclosure;
FIG. 2 is a flow chart of an attack prevention device in one embodiment of the present disclosure;
FIG. 3 is a block diagram of an attack prevention method in one embodiment of the present disclosure;
FIG. 4 is a block diagram of an attack-prevention-device in one embodiment of the present disclosure;
FIG. 5 is a hardware configuration diagram of an electronic device in an embodiment of the present disclosure.
Detailed Description
The terminology used in the embodiments of the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein is meant to encompass any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information in the embodiments of the present disclosure, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present disclosure. Depending on the context, moreover, the word "if" as used may be interpreted as "at … …" or "when … …" or "in response to a determination".
Protection against MAC address flooding attacks: the number of MAC addresses learned on a layer-two access interface is limited. A list of legitimate MAC addresses may also be configured statically so that illegitimate addresses are discarded.
Protection against DHCP server DoS attacks: a source MAC validity check is performed at the ingress.
Protection against ARP spoofing: ARP entries are bound to MAC addresses.
Protection against ARP flooding attacks: a threshold is set, and when the number of ARP messages per unit time exceeds the threshold, the excess messages are discarded.
Protection against IP/MAC address spoofing: this type of attack is prevented by IP-address-to-MAC-address binding.
The above methods have the following disadvantages:
Limiting the number of MAC address table entries can let illegal MAC addresses occupy the entries, so that entries for legal MAC addresses cannot be created. MAC address validity checking usually requires manual configuration of static MAC address table entries, which has poor usability and maintainability and requires a large amount of maintenance work whenever a terminal device is added or an IP address changes. For ARP flooding, rate limiting by a threshold can cause ARP requests from legal users to be discarded. Each attack has its own protection method, the overall protection strategy is complex, layer-two attacks are hard to stop fundamentally, and attacks based on MAC and IP address forgery by layer-two terminal devices are hard to protect against effectively.
In view of the above, the present disclosure provides an anti-attack method, an anti-attack apparatus, an electronic device, and a machine-readable storage medium, so as to mitigate the above problem that attacks pass easily through a layer-two network.
The specific technical scheme is as follows.
In one embodiment, the present disclosure provides an anti-attack method applied to a terminal device, comprising: detecting whether the initial source address of a message to be sent is the real address; if so, performing an encryption conversion of the real address with a secret key by a preset algorithm to obtain an authentication address, where the secret key was distributed by the network device when the terminal device registered with it in advance; and sending the message with the authentication address as its source address, so that the network device, which forwards only messages whose source address is a recorded authentication address, replaces the source address with the real address and forwards the message. The authentication address recorded by the network device is obtained by the network device through encryption conversion, by the preset algorithm, of the real address of the terminal device at registration with the secret key distributed to it at registration.
Specifically, as shown in FIG. 1, the method comprises the following steps:
S11, detecting whether the initial source address of the message to be sent is the real address.
Specified security software, mandatorily installed in advance, checks whether the current source address (the initial source address) of the message to be sent locally is the real address, so as to prevent local messages from being controlled by a malicious attacker; if the current source address is not the real address, the message is discarded directly.
S12, if so, performing an encryption conversion of the real address with the key by the preset algorithm to obtain the authentication address.
The key is distributed by the network device after the terminal device has registered with it in advance. Registration is initiated by the specified security software, and the preset algorithm is either stored in the specified security software or obtained from the network device during registration; the registration process therefore cannot be completed unless the specified security software is installed on the terminal device, which is what makes the installation mandatory.
S13, sending the message with the authentication address as its source address.
The network device, which forwards only messages whose source address is a recorded authentication address, replaces the source address of the message with the real address and forwards it. The authentication address recorded by the network device is obtained by the network device through encryption conversion, by the preset algorithm, of the real address of the terminal device at registration with the secret key distributed to it at registration.
In this embodiment, the network device may be a forwarding device such as a gateway, a switch, a router, or any other device that receives, sends and forwards messages.
After the terminal device has installed the specified security software and initiated registration, the network device records the real address of the terminal device as verified and reported by the specified security software during registration, distributes a key to the terminal device, obtains an authentication address by encryption conversion of the real address with the distributed key by a preset algorithm consistent with that of the terminal device, and then records the authentication address, the real address, the key and their correspondence locally or in another storage location that the network device can read, write and modify.
When the network device receives a message from the terminal device, it verifies whether the current source address is a locally recorded authentication address. If so, the address information is considered not to be disguised, tampered with or spoofed; the real address corresponding to the authentication address is retrieved from the locally recorded information and written in as the new source address of the message, and the message is forwarded. If the current source address is not a locally recorded authentication address, the message is considered illegal, or the terminal device that sent it is considered not to have the designated security software installed, and the message is discarded.
This completes the attack prevention and mitigates the problem that attacks pass easily through the layer-two network.
In one embodiment, the real address includes a real MAC address and/or a real IP address and the authentication address includes an authentication MAC address and/or an authentication IP address.
The address may be a MAC address or an IP address or both.
In one embodiment, the present disclosure provides an anti-attack method applied to a network device, comprising: receiving a message and obtaining its source address; if the source address is recorded as an authentication address, obtaining the real address corresponding to that authentication address; replacing the source address with the real address and then forwarding the message. The recorded authentication address is obtained by the network device through encryption conversion, by the preset algorithm, of the real address of the terminal device at registration with the secret key distributed to it at registration.
Specifically, as shown in FIG. 2, the method comprises the following steps:
Step S21, receiving the message and obtaining its source address.
This is the current source address of the message at the time it is received.
Step S22, if the source address is recorded as an authentication address, obtaining the real address corresponding to that authentication address.
The recorded authentication address is obtained by the network device through encryption conversion, by the preset algorithm, of the real address of the terminal device at registration with the secret key distributed to it at registration. After the terminal device has installed the specified security software and initiated registration, the network device records the real address of the terminal device as verified and reported by the specified security software during registration, distributes a secret key to the terminal device, and obtains the authentication address by encryption conversion of the real address with the distributed key by a preset algorithm consistent with that of the terminal device. The authentication address, the real address, the key and their correspondence are then recorded locally or in another storage location that the network device can read, write and modify.
When the network device receives a message from the terminal device, it verifies whether the current source address is a locally recorded authentication address. If so, the address information is considered not to be disguised, tampered with or spoofed, and the real address corresponding to the authentication address is retrieved from the locally recorded information.
Step S23, replacing the source address with the real address and then forwarding the message.
The real address is written in as the new source address of the message, and the message is then forwarded.
In one embodiment, the real address includes a real MAC address and/or a real IP address, and the authentication address includes an authentication MAC address and/or an authentication IP address.
The address may be a MAC address, an IP address, or both.
In one embodiment, if the source address is not a recorded authentication address, the message is discarded.
If the current source address at the time of receipt is not a locally recorded authentication address, the message is considered illegal, or the terminal device that sent it is considered not to have the designated security software installed, and the message is discarded.
In one embodiment, a record table is established in advance, which records, in correspondence, the real address of the terminal device, the key distributed to it, and the authentication address obtained at registration by encryption conversion of the real address with that key by the preset algorithm.
The record table holds the authentication address, the real address, the secret key and their correspondence, so that the network device can quickly look up whether an authentication address exists and obtain the real address corresponding to it.
This completes the attack prevention and mitigates the problem that attacks pass easily through the layer-two network.
In one embodiment, the present disclosure provides an attack-prevention apparatus, as shown in FIG. 3, applied to a terminal device, comprising: a detection module 31, configured to detect whether the initial source address of a message to be sent is the real address; an encryption module 32, configured, when the initial source address of the message to be sent is the real address, to perform an encryption conversion of the real address with a secret key by a preset algorithm to obtain an authentication address, where the secret key was distributed by the network device after the terminal device registered with it in advance; and a sending module 33, configured to send the message with the authentication address as its source address, so that the network device, which forwards only messages whose source address is a recorded authentication address, replaces the source address with the real address and forwards the message. The authentication address recorded by the network device is obtained by the network device through encryption conversion, by the preset algorithm, of the real address of the terminal device at registration with the secret key distributed to it at registration.
The device embodiments are the same or similar to the corresponding method embodiments and therefore are not described in detail herein.
In one embodiment, the present disclosure provides an attack-prevention apparatus, as shown in FIG. 4, applied to a network device, comprising: a receiving module 41, configured to receive a message and obtain its source address; an analysis module 42, configured, when the source address is a recorded authentication address, to obtain the real address corresponding to that authentication address; and a forwarding module 43, configured to replace the source address with the real address and then forward the message. The recorded authentication address is obtained by the network device through encryption conversion, by the preset algorithm, of the real address of the terminal device at registration with the secret key distributed to it at registration.
The device embodiments are the same or similar to the corresponding method embodiments and therefore are not described in detail herein.
In one network, PC1, PC2, PC3 and PC4 together with forwarding devices (e.g., switches) form a Layer 2 network.
A security plug-in (that is, the designated security software) is installed on each PC (the terminal device). The plug-in extracts the MAC (media access control) address and IP (Internet protocol) address of the PC's network card and records them as parameters in the plug-in; at the same time, it sends a registration message to the forwarding device (the network device) and obtains the identity key secKey (the secret key) issued by the forwarding device.
Every message the PC sends to the forwarding device passes through the security plug-in. The plug-in checks whether the source MAC address and source IP address of the message are the real MAC address and real IP address of the device, and discards the message if they are not. If they are, an authentication MAC address AU_MAC is computed from the source MAC address, the source IP address and the secKey by a given calculation; AU_MAC is then used as the source MAC and the message is sent to the forwarding device.
During the PC's registration stage, the forwarding device records the PC's secKey, real MAC address and real IP address, together with the authentication MAC address AU_MAC computed by the same method as the PC, and stores them as an entry in Sec_MAC_Info.
After the forwarding device receives a message, it extracts the message's current source MAC address Sou_MAC and matches Sou_MAC against the AU_MAC values in Sec_MAC_Info. If no AU_MAC matches, the message is considered illegal and is discarded; otherwise, the real MAC address of the matching entry is obtained, the source MAC of the message is replaced with that real MAC address, and Layer 2 processing then proceeds.
For messages the forwarding device sends toward a terminal, the destination MAC is the real MAC address of the terminal device.
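The registration, plug-in and forwarding-device steps above, written out as a runnable simulation. This is an added example, not code from the patent or from the applicant: the patent only says AU_MAC is "calculated to a certain extent" from the real MAC, real IP and secKey, so the derivation used here (HMAC-SHA256 truncated to 48 bits, with the locally-administered bit set and the multicast bit cleared) is an assumed instantiation, and the class and function names, the PC addresses and the frame contents are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def compute_au_mac(sec_key: bytes, real_mac: str, real_ip: str) -> str:
    """Derive AU_MAC from secKey, the real MAC and the real IP.

    Assumed instantiation (the patent leaves the calculation open):
    HMAC-SHA256 over MAC||IP, truncated to 6 bytes. The first byte gets the
    locally-administered bit (0x02) set and the multicast bit (0x01) cleared,
    so the result is a valid unicast MAC that cannot collide with a
    vendor-assigned (globally unique) address such as the real MAC.
    """
    msg = mac_to_bytes(real_mac) + real_ip.encode("ascii")
    digest = hmac.new(sec_key, msg, hashlib.sha256).digest()[:6]
    first = (digest[0] | 0x02) & 0xFE
    return bytes_to_mac(bytes([first]) + digest[1:])


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    dst_mac: str
    payload: bytes = b""


@dataclass
class SecMacEntry:
    sec_key: bytes
    real_mac: str
    real_ip: str
    au_mac: str


class ForwardingDevice:
    """Switch side: registration, the Sec_MAC_Info table and the ingress check."""

    def __init__(self) -> None:
        # Sec_MAC_Info, indexed by AU_MAC so the ingress lookup is a single probe.
        self.sec_mac_info: Dict[str, SecMacEntry] = {}
        self.forwarded: List[Frame] = []

    def register(self, real_mac: str, real_ip: str) -> bytes:
        sec_key = secrets.token_bytes(16)  # per-terminal identity key secKey
        au_mac = compute_au_mac(sec_key, real_mac, real_ip)
        self.sec_mac_info[au_mac] = SecMacEntry(sec_key, real_mac, real_ip, au_mac)
        return sec_key

    def ingress(self, frame: Frame) -> Optional[Frame]:
        entry = self.sec_mac_info.get(frame.src_mac)  # match Sou_MAC against AU_MAC
        if entry is None:
            return None  # no matching AU_MAC: illegal message, discarded
        restored = Frame(entry.real_mac, frame.src_ip, frame.dst_mac, frame.payload)
        self.forwarded.append(restored)  # Layer 2 processing continues with the real MAC
        return restored


class SecurityPlugin:
    """Terminal side: records the NIC's real addresses, registers, rewrites the source MAC."""

    def __init__(self, real_mac: str, real_ip: str, device: ForwardingDevice) -> None:
        self.real_mac = real_mac
        self.real_ip = real_ip
        self.sec_key = device.register(real_mac, real_ip)
        self.au_mac = compute_au_mac(self.sec_key, real_mac, real_ip)

    def outbound(self, frame: Frame) -> Optional[Frame]:
        if frame.src_mac != self.real_mac or frame.src_ip != self.real_ip:
            return None  # forged source on this host: discarded before it leaves
        return Frame(self.au_mac, frame.src_ip, frame.dst_mac, frame.payload)


def demo() -> dict:
    """Constructed scenario: two registered PCs, one legitimate frame, three illegal ones."""
    switch = ForwardingDevice()
    pc1 = SecurityPlugin("00:11:22:33:44:01", "192.168.1.1", switch)
    pc2 = SecurityPlugin("00:11:22:33:44:02", "192.168.1.2", switch)

    # 1. Legitimate frame PC1 -> PC2: plug-in substitutes AU_MAC, switch restores the real MAC.
    on_wire = pc1.outbound(Frame(pc1.real_mac, pc1.real_ip, pc2.real_mac, b"hello"))
    legit = switch.ingress(on_wire)
    # 2. PC1 tries to send with PC2's addresses: the plug-in discards it.
    spoof_local = pc1.outbound(Frame(pc2.real_mac, pc2.real_ip, pc1.real_mac))
    # 3. A frame that bypassed the plug-in and carries PC1's real MAC, or any
    #    unregistered MAC, is dropped by the switch: only recorded AU_MACs are forwarded.
    bypass = switch.ingress(Frame(pc1.real_mac, pc1.real_ip, pc2.real_mac))
    unregistered = switch.ingress(Frame("00:aa:bb:cc:dd:ee", "192.168.1.9", pc2.real_mac))
    return {"wire_src": on_wire.src_mac, "legit": legit, "spoof_local": spoof_local,
            "bypass": bypass, "unregistered": unregistered}


if __name__ == "__main__":
    print(demo())
```

The switch-side table also stores the real IP for each entry, so an implementation can additionally compare the frame's source IP with the recorded one before restoring the MAC; the simulation above sticks to the MAC match the embodiment describes.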
In one embodiment, the present disclosure provides an electronic device, which includes a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions capable of being executed by the processor, and the processor executes the machine-executable instructions to implement the foregoing anti-attack method, and from a hardware level, a schematic diagram of a hardware architecture may be shown in fig. 5.
In one embodiment, the present disclosure provides a machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the foregoing anti-attack method.
Here, a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and so forth. For example, the machine-readable storage medium may be: a RAM (Random Access Memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), or similar storage medium, or a combination thereof.
The systems, devices, modules or units described in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more software and/or hardware implementations in practicing the disclosure.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only an embodiment of the present disclosure, and is not intended to limit the present disclosure. Various modifications and variations of this disclosure will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present disclosure should be included in the scope of the claims of the present disclosure.

Claims (10)

1. An anti-attack method is applied to a terminal device, and comprises the following steps:
detecting whether an initial source address of a message to be sent is a real address;
if so, carrying out encryption conversion according to a secret key and a real address by a preset algorithm to obtain an authentication address, wherein the secret key is distributed by the network equipment after being registered in the network equipment in advance;
the authentication address is used as a source address, the message is sent, so that the network equipment which forwards and only forwards the message with the source address as the recorded authentication address replaces the source address of the message with a real address and forwards the message;
the authentication address recorded by the network device is obtained by the network device through encryption conversion according to the real address when the terminal device is registered, the secret key distributed for the terminal device when the terminal device is registered and a preset algorithm.
2. The method of claim 1, wherein the real address comprises a real MAC address and/or a real IP address and the authentication address comprises an authentication MAC address and/or an authentication IP address.
3. An anti-attack method applied to a network device, the method comprising:
receiving a message, and acquiring a source address of the message;
if the source address is recorded as authentication address information, a real address corresponding to the authentication address is obtained;
after replacing the source address with the real address, forwarding the message;
the recorded authentication address is obtained by the network device through encryption conversion according to the real address of the terminal device during registration, the secret key distributed for the terminal device during registration and a preset algorithm.
4. The method of claim 3, wherein the real address comprises a real MAC address and/or a real IP address and the authentication address comprises an authentication MAC address and/or an authentication IP address.
5. The method of claim 3, wherein if the source address is not recorded as authenticated address information, discarding the message.
6. The method according to claim 3, wherein a record table is pre-established, and the real address of the terminal device, the key distributed to the terminal device, and the authentication address obtained by performing encryption conversion according to the real address of the terminal device, the key distributed to the terminal device, and a preset algorithm when the terminal device is registered are correspondingly recorded.
7. An attack prevention apparatus, applied to a terminal device, the apparatus comprising:
the detection module is used for detecting whether the initial source address of the message to be sent is a real address;
the encryption module is used for carrying out encryption conversion by a preset algorithm according to a secret key and a real address when the initial source address of the message to be sent is a real address, so as to obtain an authentication address, wherein the secret key is distributed by the network equipment after being registered in advance;
the sending module is used for sending the message by taking the authentication address as a source address, so that the network equipment which forwards and only forwards the message with the source address as the recorded authentication address replaces the source address of the message with a real address and forwards the message;
the authentication address recorded by the network device is obtained by the network device through encryption conversion according to the real address when the terminal device is registered, the secret key distributed for the terminal device when the terminal device is registered and a preset algorithm.
8. An anti-attack apparatus applied to a network device, the apparatus comprising:
the receiving module is used for receiving the message and acquiring a source address of the message;
the analysis module is used for acquiring a real address corresponding to the authentication address when the source address is recorded as the authentication address information;
the forwarding module is used for forwarding the message after replacing the source address with the real address;
the recorded authentication address is obtained by the network device through encryption conversion according to the real address of the terminal device during registration, the secret key distributed for the terminal device during registration and a preset algorithm.
9. An electronic device, comprising: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor to perform the method of any of claims 1-6.
10. A machine-readable storage medium having stored thereon machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the method of any of claims 1-6.
CN202010246582.7A 2020-03-31 2020-03-31 Anti-attack method, device, equipment and machine readable storage medium Active CN111740943B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010246582.7A CN111740943B (en) 2020-03-31 2020-03-31 Anti-attack method, device, equipment and machine readable storage medium

Publications (2)

Publication Number Publication Date
CN111740943A true CN111740943A (en) 2020-10-02
CN111740943B CN111740943B (en) 2022-04-01

Family

ID=72646823

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010246582.7A Active CN111740943B (en) 2020-03-31 2020-03-31 Anti-attack method, device, equipment and machine readable storage medium

Country Status (1)

Country Link
CN (1) CN111740943B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113347198A (en) * 2021-06-23 2021-09-03 深圳壹账通智能科技有限公司 ARP message processing method, device, network equipment and storage medium
CN113596022A (en) * 2021-07-27 2021-11-02 北京卫达信息技术有限公司 Apparatus and method for identifying malicious sources within a network
CN113660274A (en) * 2021-08-18 2021-11-16 中国电信股份有限公司 Website information processing method and device, storage medium and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101119371A (en) * 2007-08-28 2008-02-06 杭州华三通信技术有限公司 Method, client terminal, server and system for preventing network attack using ARP
CN101567891A (en) * 2009-05-31 2009-10-28 成都市华为赛门铁克科技有限公司 Source address verification method, device and system
CN103095584A (en) * 2013-02-04 2013-05-08 杭州华三通信技术有限公司 Message processing method and exchange equipment
WO2018133674A1 (en) * 2017-01-18 2018-07-26 西安慧博习兆信息技术有限公司 Method of verifying and feeding back bank payment permission authentication information
CN110798546A (en) * 2019-11-08 2020-02-14 杭州海兴电力科技股份有限公司 DUID-based DHCP client access authentication method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李扬继 et al.: "ARP协议的攻击与防范" (Attacks on and defenses against the ARP protocol), 《兵工自动化》 (Ordnance Industry Automation) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113347198A (en) * 2021-06-23 2021-09-03 深圳壹账通智能科技有限公司 ARP message processing method, device, network equipment and storage medium
CN113347198B (en) * 2021-06-23 2022-07-08 深圳壹账通智能科技有限公司 ARP message processing method, device, network equipment and storage medium
CN113596022A (en) * 2021-07-27 2021-11-02 北京卫达信息技术有限公司 Apparatus and method for identifying malicious sources within a network
CN113660274A (en) * 2021-08-18 2021-11-16 中国电信股份有限公司 Website information processing method and device, storage medium and electronic equipment
CN113660274B (en) * 2021-08-18 2023-04-07 中国电信股份有限公司 Website information processing method and device, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN111740943B (en) 2022-04-01

Similar Documents

Publication Publication Date Title
Mallik Man-in-the-middle-attack: Understanding in simple words
CN111740943B (en) Anti-attack method, device, equipment and machine readable storage medium
US9699158B2 (en) Network user identification and authentication
US8966619B2 (en) Prevention of denial of service (DoS) attacks on session initiation protocol (SIP)-based systems using return routability check filtering
US20130254888A1 (en) System and method for identifying security breach attempt of a website
Baitha et al. Session hijacking and prevention technique
US20070294759A1 (en) Wireless network control and protection system
US20070118894A1 (en) Method for responding to denial of service attacks at the session layer or above
CA2597763A1 (en) Context limited shared secret
Hijazi et al. Address resolution protocol spoofing attacks and security approaches: A survey
Parthasarathy Protocol for carrying authentication and network access (PANA) threat analysis and security requirements
Supriyanto et al. Survey of internet protocol version 6 link local communication security vulnerability and mitigation methods
CN102438028A (en) Method, device and system for preventing fraud of dynamic host configuration protocol (DHCP) server
CN108924122B (en) Network friend or foe identification method and system
CN113206858A (en) Mobile target defense method based on internet of things DDoS attack
Raza et al. vepc-sec: Securing lte network functions virtualization on public cloud
Alsadeh et al. Cryptographically Generated Addresses (CGAs): Possible attacks and proposed mitigation approaches
CN108965309B (en) Data transmission processing method, device, system and equipment
KR20080040256A (en) Method for ip address authentication in ipv6 network, and ipv6 network system
CN113810398B (en) Attack protection method, device, equipment and storage medium
US20220103582A1 (en) System and method for cybersecurity
CN105790932A (en) Encryption method through using machine codes as bases
Kambourakis et al. Signaling-oriented DoS attacks in UMTS networks
Haitao et al. The security issues and countermeasures in Mobile IP
Sher et al. 3G-WLAN convergence: Vulnerability, attacks possibilities and security model

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant